Mac Flashback Trojan - The Death of Mac Invincibility

I'm going to start by referring you back to the opening line of my blog "Macs can be infected AND be carriers of malware", where I said, "Yes, Macs CAN be infected. Period." That was Mar. 21, 2012 (16 days ago). Today, even the staunchest of "Macs can't get viruses" believers find themselves staring into the eyes of a colossal 620,000+ gorilla of an "I told you so."

Here's the executive summary:

A Trojan is a computer infection that enters your computer by pretending to be something else. In this case, Flashback pretends to be an update for the Adobe Flash Player. Reports started 4 days ago and were confirmed today - Fri., Apr. 6, 2012 - by Kaspersky Labs. The full report is here: http://goo.gl/6zLzv.

Using some complex reverse engineering techniques, the smarties at Kaspersky Labs watched as 620,000+ unique computers logged into the pretend Flashback mother-server they created. They know the count is close to accurate because Flashback uses each computer's unique ID in the process.

In a nutshell, the breakdown appears to be:

So, let's cut to the chase... what to do? Here we go... step-by-step:

Step #1: Run Apple Software Update.

Click on the Apple logo in the top left corner of your Mac, then click "Software Update" and the process will look like this:

Then you'll see:

Click on "Show Details" and you'll get this:

Click "Install X Items" (you may have 1, 2, or more items to install). Let the process run:

Once the update has been installed (note that your Mac may or may not need to reboot, depending upon what other updates you have in the list) you'll see something like this:

Step #2: Disable Java in Safari and/or Firefox.

Step #2a: Disable Java in Safari:

Start Safari, click on "Safari", then "Preferences", then "Security" to get here and UNCHECK "Enable Java":

Step #2b: Disable Java in Firefox:

Start Firefox, click on "Tools", then "Add-ons", then "Plugins" and in the list you are looking for this (the version number may be different):

Over on the right side of this Plugin bar click "Disable" to change it to this:

Step #3: Determine whether your Mac is infected.

***WARNING*** I'm going to walk you through entering commands into the Terminal program that directly and immediately affect your Mac's operating system. Entering the wrong command may damage your Mac. I have already run these commands on my Macs, but if you don't feel comfortable proceeding, contact your I.T. guy or gal and have them do this for you.

Click on Spotlight (the magnifying glass in the top right corner of your Mac) and type "terminal". In the search results under "Applications", click "Terminal". For each step I'll show you the command to copy and paste into Terminal, then a screen capture of the step and its result, before proceeding to the next step. There are only three items to check:

The first command to copy is:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment


Paste that into Terminal so it looks like this (the name of your account and your Mac will appear where my name is):

Press the RETURN key.

GOOD: If you get "does not exist" as the result then the infection has NOT happened through Safari.

BAD: If instead of "does not exist" you get a path to the malware file, then your Mac IS infected through Safari.

Proceed by copying the second command into Terminal:

defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

Press the RETURN key.

GOOD: If you get "does not exist" as the result then the infection has NOT happened through Firefox.

BAD: If instead of "does not exist" you get a path to the malware file, then your Mac IS infected through Firefox.

Proceed by copying the final command into Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

Press the RETURN key.

GOOD: If you get "does not exist" as the result AND you got that for the previous 2 results, then your Mac is NOT infected.

BAD: If any one of the 3 results returned a path to the malware, then your Mac IS infected.

In Terminal, type "exit" and press RETURN, then quit the Terminal program:
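The three checks from Step #3 can also be run in one pass. The script below is an added example, not part of the original post: the function names and the CLEAN / INFECTED / UNKNOWN labels are made up here, and it applies the same rule as above ("does not exist" means that location is clean), printing the raw output for anything else so you can see the path that came back.

```shell
#!/bin/sh
# Added example: runs the three `defaults read` checks from Step #3.
# Function names and verdict labels are assumptions of this example.

# classify_result TEXT -> CLEAN if TEXT contains "does not exist",
# UNKNOWN if it is empty, INFECTED for any other output (the post's rule).
classify_result() {
    case "$1" in
        *"does not exist"*) echo CLEAN ;;
        "")                 echo UNKNOWN ;;
        *)                  echo INFECTED ;;
    esac
}

# check_one DOMAIN KEY -> runs the check, prints verdict and, if not clean,
# the raw output. `defaults` reports a missing key on stderr, so capture both.
check_one() {
    out=$(defaults read "$1" "$2" 2>&1) || true
    verdict=$(classify_result "$out")
    printf '%-9s %s %s\n' "$verdict" "$1" "$2"
    [ "$verdict" = CLEAN ] || printf '          output: %s\n' "$out"
    [ "$verdict" = CLEAN ]
}

# flashback_check -> returns 0 only if all three locations come back clean.
flashback_check() {
    rc=0
    check_one /Applications/Safari.app/Contents/Info  LSEnvironment || rc=1
    check_one /Applications/Firefox.app/Contents/Info LSEnvironment || rc=1
    check_one "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES     || rc=1
    if [ "$rc" -eq 0 ]; then
        echo 'All three checks returned "does not exist": not infected.'
    else
        echo 'At least one check did not return "does not exist": see above.'
    fi
    return "$rc"
}

# Run only where the macOS `defaults` tool is available.
if command -v defaults >/dev/null 2>&1; then
    flashback_check || true
fi
```

Save it to a file and run it with sh from Terminal; it only reads settings and changes nothing on the Mac.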
